65 lines
1.4 KiB
Plaintext
65 lines
1.4 KiB
Plaintext
== How to fix it in Node.js
|
|
|
|
=== Code examples
|
|
|
|
The following code is vulnerable to SSRF as it opens a URL defined by untrusted data.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,javascript,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
const axios = require('axios');
|
|
const express = require('express');
|
|
|
|
const app = express();
|
|
|
|
app.get('/example', async (req, res) => {
|
|
try {
|
|
await axios.get(req.query.url); // Noncompliant
|
|
res.send("OK");
|
|
} catch (err) {
|
|
console.error(err);
|
|
res.send("ERROR");
|
|
}
|
|
})
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,javascript,diff-id=1,diff-type=compliant]
|
|
----
|
|
const axios = require('axios');
|
|
const express = require('express');
|
|
|
|
const schemesList = ["http:", "https:"];
|
|
const domainsList = ["trusted1.example.com", "trusted2.example.com"];
|
|
|
|
app.get('/example', async (req, res) => {
|
|
const url = (new URL(req.query.url));
|
|
|
|
if (schemesList.includes(url.protocol) && domainsList.includes(url.hostname)) {
|
|
try {
|
|
await axios.get(url);
|
|
res.send("OK");
|
|
} catch (err) {
|
|
console.error(err);
|
|
res.send("ERROR");
|
|
}
|
|
}else {
|
|
res.send("INVALID_URL");
|
|
}
|
|
})
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/pre-approved-list.adoc[]
|
|
|
|
include::../../common/fix/blacklist.adoc[]
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/starts-with.adoc[]
|
|
|
|
include::../../common/pitfalls/blacklist-toctou.adoc[]
|